We use cookies to provide the best site experience.

FINMA Guidance 05/2020: duty to report the cyber attacks

May 8, 2020 | Financial Market News

FINMA Guidance 05/2020: duty to report the cyber attacks

On 7th May, FINMA published Guidance 05/2020: duty to report cyber attacks pursuant to Art. 29 para. 2 FINMASA.

Since the institutions supervised by FINMA are under the risk of cyber-attacks, FINMA reminds those institutions to fulfil the requirements under Article 29 para. 2 FINMASA, specifically to immediately report any incident that is of substantial importance to the supervision. This comprises vital cases concerning successful or partially successful cyber attacks.
Cyber attacks of substantial importance to the supervision
The protection of both the individuals and the financial markets with regard to cyber-attacks are considered of substantial importance.

The main focus is on products or services of supervised institutions and their underlying business processes as well as their critical assets, where the cyber-attack can lead to the failure or dysfunction. This may damage the protective goal of availability, integrity and confidentiality of information. Such attacks can also jeopardise the data.

If a cyber-attack on critical assets results in one or more of the protective goals of essential functions and the business processes are under risk - this must be reported to FINMA immediately.
FINMA Guidance 05/2020 cyber attacks
Immediate reporting to FINMA
The affected supervised institution reports to FINMA through the responsible (Key) Account Manager within 24 hours of detecting the cyber-attack and manages an initial evaluation of it. The actual report should be provided within 72 hours via the FINMA web-based survey and application platform (EHP)7,8.

If the new developments under the same cyber-attack occur (after the report to FINMA), a new report should be provided within 72 hours.
Source: https://www.finma.ch/en/documentation/finma-guidance/

Legal disclaimer. This article does not constitute legal advice and does not establish an attorney-client relationship. The article should be used for informational purposes only.

Show more